It didn’t seem to work for me. Paramiko may have this ability, according to this: https://github.com/paramiko/paramiko/pull/21
Hmm, nice to see this has been added.
I’m not sure what enabling it takes, but it would probably be an option, as agent forwarding is not something we should enable by default. I am fine with additions to make this an option.
If you do “-c ssh” you can of course leverage OpenSSH to do that today, and “-c ssh” is the default on platforms that at least support ControlPersist (so it’s fast enough to not need paramiko).
Yeah, I’m on centos, but I may switch to ubuntu for the newer ssh. Agent forwarding makes remote->remote so much cleaner.
Hello,
I should be able to wrap up a patch adding agent forwarding to paramiko connection plugin in the next few days.
Can you, Michael, choose an option name that would sound good to you (knowing that these options would be specific to paramiko, since -c ssh configures this via ANSIBLE_SSH_ARGS)?
There could be three levels of configurability for this thing, because 3 different modifications are needed:

(1) remote user can use keys: need to use the paramiko AgentRequestHandler mechanism.
    I have a working patch for this that I need to wrap up once the option name is chosen.

(2) remote sudo_user=root can use keys:
    either leave that to the sudoers configuration (Defaults env_keep+=SSH_AUTH_SOCK)
    or have ansible export the remote user’s SSH_AUTH_SOCK variable;
    since root can always access $SSH_AUTH_SOCK (usually /tmp/ssh-*) it works.

(3) remote sudo_user!=root can use keys:
    sudo_user must be given permissions on $SSH_AUTH_SOCK by the remote user, otherwise it won’t work.
    I don’t quite have a pretty solution on this one. Either give wild permission on $SSH_AUTH_SOCK or use setfacl where available to limit the permission to:
        setfacl -m otheruser:x "$(dirname "$SSH_AUTH_SOCK")"
        setfacl -m otheruser:rwx "$SSH_AUTH_SOCK"
Do you want these 3 progressive levels of forwarding as 3 different options, or just one big option that forwards at all levels?
Note that in option 3, giving permissions on the $SSH_AUTH_SOCK file may be considered dangerous by some people because all the users having permissions on $SSH_AUTH_SOCK are then able to use the forwarded keys. I am not a security expert so I would be glad to hear about what seems like an acceptable solution for this problem.
Thanks
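Level (3) above hands another user rights on $SSH_AUTH_SOCK, so the question that follows is who can actually drive the agent afterwards. The code below is an added example, not code from this thread or from Ansible: it parses getfacl output the way the kernel applies the mask to named entries, and falls back to plain mode bits where ACL tooling is absent. The getfacl sample, the user names and the socket path are constructed.

```python
import os
import re
import stat

# One getfacl entry per line, e.g. "user:deploy:rwx", "group::---", "other::---".
_ACL_ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})$")

# Constructed sample: getfacl output after the two setfacl commands from the
# thread granted user "deploy" access to alice's agent socket.
SAMPLE_GETFACL = """\
# file: tmp/ssh-abc123/agent.4242
user::rw-
user:deploy:rwx
group::---
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Map (kind, name) -> perms for one getfacl dump; '# ...' headers skipped."""
    found = (_ACL_ENTRY.match(ln.strip()) for ln in text.splitlines())
    return {(m.group(1), m.group(2)): m.group(3) for m in found if m}

def acl_key_users(text):
    """Principals beyond the owner whose effective rights include r and w, i.e.
    who can drive the agent. Named entries are capped by the mask as the kernel does."""
    entries = parse_getfacl(text)
    mask = entries.get(("mask", ""), "rwx")
    who = set()
    for (kind, name), perms in entries.items():
        if kind == "other":
            eff = perms                               # 'other' is never masked
        elif kind in ("user", "group") and name:
            eff = "".join(p if p == q else "-" for p, q in zip(perms, mask))
        else:
            continue                                  # owner / owning group
        if eff[0] == "r" and eff[1] == "w":
            who.add(f"{kind}:{name}" if name else kind)
    return who

def mode_findings(sock_path):
    """Mode-bit findings for hosts without ACL tools. Once an ACL exists, the
    group triple of st_mode shows the ACL mask, so a non-zero one is itself a hint."""
    st, d = os.stat(sock_path), os.stat(os.path.dirname(sock_path))
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set on socket (mode or ACL mask)")
    if d.st_mode & (stat.S_IXGRP | stat.S_IXOTH):
        findings.append("socket directory traversable by group/other")
    return findings
```

Run `acl_key_users` over the output of `getfacl "$SSH_AUTH_SOCK"` on the target host; every principal it returns can sign with every key the forwarded agent holds, which is the concern raised in the note above.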
I’m ok with it being a configuration option in the [paramiko] section.
agent_forwarding=True/False/root ?
Needs to enforce the following though: it should not break on older paramikos if disabled, and should warn about incompatibility on older paramikos if so enabled.
Hello,
here is a pull request adding agent forwarding to paramiko:
https://github.com/ansible/ansible/pull/4100
I hope it meets your expectations on the ‘progressive enhancement’ aspect of things.
The option values are described in the PR.
If the implementation is considered acceptable, note that the sudo/sudo_user part could be ported to the ssh plugin.
Attribution where it belongs: part of the code was inspired by the work of Lory Hochstein on the ssh transport mentioned here - https://groups.google.com/forum/#!searchin/ansible-project/agent$20forwarding/ansible-project/cw8Sr9UvvQc/PGAxJaaAY4YJ
We can continue discussion on the pull request.
Thanks.